Microsoft Issues First Surface Security Patch

Today is Patch Tuesday and the first security vulnerability fix from Microsoft for the Surface running Windows RT is out. The bug is in Internet Explorer 10 and affects all other versions of IE on other platforms. Unlike other patches, the Surface version is available only via Windows Update.

Microsoft has issued its first security update for the Surface tablet. MS12-077 is a "Cumulative Security Update for Internet Explorer," a bundle of patches for IE that Microsoft issues on a regular basis.

There are three vulnerabilities fixed in this cumulative update, but the attack vectors for 2 of them are blocked in the default configuration of Surface. Microsoft still recommends that users apply the update as a defense-in-depth measure. For Surface, the update is available only through Windows Update.

The one vulnerability that does affect the Surface as shipped is designated CVE-2012-4787 and titled "Improper Ref Counting Use After Free Vulnerability." This is Microsoft's description:

A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

This is a variation on a type of vulnerability known as "user after free."

Microsoft rates the exploitability of vulnerabilities and rates this one as "Exploit code likely." But as a practical matter, any real-world exploits of this vulnerability are likely to be written to target Intel-based systems and would fail on Surface running Windows RT, likely crashing the system.

Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.